next up previous contents
Next: File Types Up: General Types Previous: Security Types   Contents


Device Types

The device.te file contains declarations for device types. The device directory type, device_t, is used to control access to the directory containing device special files. All domains are granted read and search permissions to directories of this type. This type is also used as the default type for files in this directory.

The null device type, null_device_t, is used to permit access to the null device. All domains are granted read and write permissions to this type. The random device type, random_device_t, is used to permit access to devices used to obtain random values. All domains are granted read permissions to this type.

The tty device type, tty_device_t, is used to control access to tty devices. Tty devices are initially labeled with this type. The login program was modified to change the security context on the user terminal based on the user's security context. Derived types are defined for each user domain, e.g. user_tty_device_t and sysadm_tty_device_t, for this purpose. A distinct type, devtty_t is used for /dev/tty since it can be accessed by all domains.

The console device type, console_device_t, is used to control access to the console. Currently, all domains are granted read and write permissions to this type. This will be changed to only grant permissions for those domains that require access to the console device.

The memory device type, memory_device_t, is used to control raw access to memory. The klogd domain is allowed to read this type. The X server domain is currently allowed to read and write this type, although the portion of the X server that requires such access should be separated.

The fixed disk device type, fixed_disk_device_t, is used to control raw access to fixed disk devices. The removable device type, removable_device_t, is used to control raw access to removable devices. The file system administration program domain (used for programs such as fsck and swapon) is allowed to read and write these types. The administrator domain is currently allowed to directly read and write fixed disk devices to run /sbin/lilo, but this program will be moved into its own domain.

The clock device type, clock_device_t, is used to control access to the real time clock. The initrc_t domain is allowed to read and write this type. Note that a domain can set the system time without having access to this type.

The misc_device_t type is used to permit access to miscellaneous devices that have not yet been studied for proper control, e.g. /dev/sequencer, /dev/dsp, /dev/audio, /dev/fb. The user domains are allowed to read and write this type. These devices require further study to identify proper controls and may require changes to the pam_console module to set the security context on these device files based on the user security context.

The psaux_t type is used to control access to the /dev/psaux mouse device. The initrc_t domain is allowed to read this type for kudzu. The gpm, X server, and user domains are allowed to read and write this type. Properly controlling access to this device requires further study.


next up previous contents
Next: File Types Up: General Types Previous: Security Types   Contents